CISA Questions (301 - 400)

Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: Select an answer: A. existence of a set of functions and their specified properties. B. ability of the software to be transferred from one environment to another. C. capability of software to maintain its level of performance under stated conditions. D. relationship between the performance of the software and the amount of resources used

You answered C. The correct answer is A. A. Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functionality of a system represents the tasks, operations and purpose of the system in achieving its objective (i.e., supporting a business requirement). B. The ability of the software to be transferred from one environment to another refers to portability. C. The capability of software to maintain its level of performance under stated conditions refers to reliability. D. The relationship between the performance of the software and the amount of resources used refers to efficiency.

A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized? Select an answer: A. The system will not process the change until the clerk's manager confirms the change by entering an approval code. B. The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk's manager. C. The system requires the clerk to enter an approval code. D. The system displays a warning message to the clerk.

You are correct, the answer is A. A. Requiring an approval code by a manager would prevent or detect the use of an unauthorized interest rate. B. A weekly report would inform the manager after the fact that a change was made, thereby making it possible for transactions to use an unauthorized rate prior to management review. C. Having a clerk enter an approval code would not provide separation of duties and would not prevent the clerk from entering an unauthorized rate change. D. A warning message would alert the clerk in case the change was being made in error, but would not prevent the clerk from entering an unauthorized rate change.

An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that: Select an answer: A. a backup server be available to run ETCS operations with up-to-date data. B. a backup server be loaded with all relevant software and data. C. the systems staff of the organization be trained to handle any event. D. source code of the ETCS application be placed in escrow.

You are correct, the answer is D. A. Having a backup server with current data is critical but not as critical as ensuring the availability of the source code. B. Having a backup server with relevant software is critical but not as critical as ensuring the availability of the source code. C. Having staff training is critical but not as critical as ensuring the availability of the source code. D. Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This will ensure that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? Select an answer: A. Bottom-up testing B. Sociability testing C. Top-down testing D. System testing

You answered A. The correct answer is C. A. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. B. Sociability testing takes place at a later stage in the development process. C. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. D. System tests take place at a later stage in the development process.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it: Select an answer: A. facilitates user involvement. B. allows early testing of technical features. C. facilitates conversion to the new system. D. shortens the development time frame.

You answered A. The correct answer is D. A. Rapid application development (RAD) emphasizes greater user involvement to ensure that the system meets user requirements; however, its primary objective is to speed up development. B. RAD does allow early testing, but this is also true for the traditional system development life cycle (SDLC) models. C. RAD does not facilitate conversion to a new system. D. The greatest advantage and core objective of RAD is a shorter time frame for the development of a system.

The GREATEST benefit of implementing an expert system is the: Select an answer: A. capturing of the knowledge and experience of individuals in an organization. B. protection of proprietary knowledge in a secure central repository. C. enhancement of personnel productivity and performance. D. reduction of employee turnover in key departments.

You answered C. The correct answer is A. A. The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. This will allow other users to access information formerly held only by experts. B. The purpose of an expert system is facilitating access to expert knowledge, not the protection of it. C. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. D. Employee turnover is not necessarily affected by an expert system.

Which of the following is an advantage of prototyping? Select an answer: A. The finished system normally has strong internal controls. B. Prototype systems can provide significant time and cost savings. C. Change control is often less complicated with prototype systems. D. It ensures that functions or extras are not added to the intended system.

You answered C. The correct answer is B. A. Prototyping often has poor internal controls because the focus is primarily on functionality, not on security. B. Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production. C. Change control becomes much more complicated with prototyping. D. Prototyping often leads to functions or extras being added to the system that were not originally intended.

Which of the following data validation edits is effective in detecting transposition and transcription errors? Select an answer: A. Range check B. Check digit C. Validity check D. Duplicate check

You answered D. The correct answer is B. A. A range check is checking data that matches a predetermined range of allowable values. B. A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered (e.g., an incorrect, but valid, value substituted for the original). This control is effective in detecting transposition and transcription errors. C. A validity check is programmed checking of the data validity in accordance with predetermined criteria. D. In a duplicate check, new or fresh transactions are matched to those previously entered to ensure that they are not already in the system.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? Select an answer: A. Transaction logs B. Before and after image reporting C. Table lookups D. Tracing and tagging

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? Select an answer: A. Transaction logs B. Before and after image reporting Correct C. Table lookups D. Tracing and tagging

A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk? Select an answer: A. Confidentiality of the information stored in the database B. The hardware being used to run the database application C. Backups of the information in the overseas database D. Remote access to the backup database

You answered A. The correct answer is B. A. Confidentiality of the information stored in the database is not a major concern, because the information is intended for public use. B. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users. C. Backups of the information in the overseas database are not a major concern, because the overseas database is a mirror of the local database; thus, a backup copy exists locally. D. Remote access to the backup database does not impact availability.

Which of the following will BEST ensure the successful offshore development of business applications? Select an answer: A. Stringent contract management practices B. Detailed and correctly applied specifications C. Awareness of cultural and political differences D. Postimplementation reviews

You answered A. The correct answer is B. A. Contract management practices, although important, will not ensure successful development if the specifications are incorrect. B. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected. C. Cultural and political differences, although important, should not affect the delivery of a good product. D. Postimplementation reviews, although important, are too late in the process to ensure successful project delivery and are not as pivotal to the success of the project.

An IS auditor has been asked to review the implementation of a customer relationship management (CRM) system for a large organization. The IS auditor discovered the project incurred significant over-budget expenses and scope creep caused the project to miss key dates. Which of the following should the IS auditor recommend for future projects? Select an answer: A. Project management training B. A software baseline C. A balanced scorecard (BSC) D. Automated requirements software

You answered A. The correct answer is B. A. While project management training is a good practice, it does not necessarily prevent scope creep without the use of a software baseline and a robust requirements change process. B. Use of a software baseline provides a cutoff point for the design of the system and allows the project to proceed as scheduled without being delayed by scope creep. C. A balanced scorecard (BSC) is a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives. It does not prevent scope creep. D. Use of automated requirements software does not decrease the risk of scope creep.

When implementing an application software package, which of the following presents the GREATEST risk? Select an answer: A. Uncontrolled multiple software versions B. Source programs that are not synchronized with object code C. Incorrectly set parameters D. Programming errors

You answered A. The correct answer is C. A. Having multiple versions is a problem, but as long as the correct version is implemented, the most serious risk during implementation is to have the parameters for the program set incorrectly. B. Lack of synchronization between source and object code will be a serious risk for later maintenance of compiled programs, but this will not affect other types of programs and is not the most serious risk at the time of implementation. C. Parameters that are not set correctly would be the greatest concern when implementing an application software package. Incorrectly set parameters are an immediate problem that could lead to system breach, failure or noncompliance. D. Programming errors should be found during testing, not at the time of implementation.

An IS auditor reviewing a proposed application software acquisition should ensure that the: Select an answer: A. operating system (OS) being used is compatible with the existing hardware platform. B. planned OS updates have been scheduled to minimize negative impacts on company needs. C. OS has the latest versions and updates. D. product is compatible with the current or planned OS.

You answered A. The correct answer is D. A. If the operating system (OS) is currently being used, it is compatible with the existing hardware platform; if it were incompatible, it would not operate properly. B. The planned OS updates should be scheduled to minimize negative impacts on the organization, but this is not an issue when considering the acquisition of new software. C. The installed OS should be equipped with the most recent versions and updates (with sufficient history and stability). Because this is installed, it is not a consideration at the time of considering acquisition of a new application. D. In reviewing the proposed application, the auditor should ensure that the products to be purchased are compatible with the current or planned OS.

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? Select an answer: A. Applications may not be subject to testing and IT general controls. B. Development and maintenance costs may be increased. C. Application development time may be increased. D. Decision-making may be impaired due to diminished responsiveness to requests for information.

You answered B. The correct answer is A. A. End-user computing (EUC) is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. B. EUC systems typically result in reduced application development and maintenance costs. C. EUC systems typically result in a reduced development cycle time. D. EUC systems normally increase flexibility and responsiveness to management's information requests because the system is being developed directly by the user community.

The phases and deliverables of a system development life cycle (SDLC) project should be determined: Select an answer: A. during the initial planning stages of the project. B. after early planning has been completed but before work has begun. C. throughout the work stages, based on risk and exposures. D. only after all risk and exposures have been identified and the IS auditor has recommended appropriate controls.

You answered B. The correct answer is A. A. It is extremely important that the project be planned properly, and that the specific phases and deliverables are identified during the early stages of the project. This enables project tracking and resource management. B. Determining the deliverables and time lines of a project are a part of the early project planning work. C. The requirements may change over the life of a project, but the initial deliverables should be documented from the beginning of the project. D. Risk management is a never-ending process, so project planning cannot wait until all risk has been identified.

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that: Select an answer: A. increases in quality can be achieved, even if resource allocation is decreased. B. increases in quality are only achieved if resource allocation is increased. C. decreases in delivery time can be achieved, even if resource allocation is decreased. D. decreases in delivery time can only be achieved if quality is decreased.

You answered B. The correct answer is A. A. The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased an increase in quality can be achieved, if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant. B. Increases in quality can be achieved if resource allocation is increased or through increases in delivery time, not only through increases in resource allocation. C. A decrease in both delivery time and resource allocation would mean that quality would have to decrease. D. A decrease in delivery time may also be addressed through an increase in resource allocation, even if the quality remains constant.

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern? Select an answer: A. Acceptance testing is to be managed by users. B. A quality plan is not part of the contracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototyping is being used to confirm that the system meets business requirements.

You answered C. The correct answer is B. A. Acceptance is normally managed by the user area because users must be satisfied that the new system will meet their requirements. B. A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. C. If the system is large, a phased-in approach to implementing the application is a reasonable approach. D. Prototyping is a valid method of ensuring that the system will meet business requirements.

An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate? Select an answer: A. Senior IS and business management must approve use before production data can be utilized for testing. B. Production data can be used if they are copied to a secure test environment. C. Production data can never be used. All test data must be developed and based on documented test cases. D. Production data can be used provided that confidentiality agreements are in place.

You answered B. The correct answer is A. A. There is risk associated with the use of production data for testing. This includes compromising customer or employee confidentiality (which may also involve breaching legislation) and corrupting production of the data. Additionally, there are certain cases in which effective testing requires specifically designed data. There are other cases in which using production data would provide insights that are difficult or impossible to get from manufactured test data. One example is testing of interfaces to legacy systems. Management information systems are a further example where access to "real" data is likely to enhance testing. Some flexibility on the use of production data is likely to be the best option. In addition to obtaining senior management approval, conditions that mitigate the risk associated with using production data can be agreed on, such as masking names and other identifying fields to protect privacy. B. Copying production data to a secure environment is a good practice, but this should only be done with the approval of management. Management must accept the risk of using production data for testing. C. Creating a complete set of test data would be an ideal situation but is not always possible due to the volume of test data that would be required. D. Production data could only be used with management's permission. Then it can be appropriate to require the use of confidentiality agreements.

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: Select an answer: A. effectiveness of the QA function because it should interact between project management and user management. B. efficiency of the QA function because it should interact with the project implementation team. C. effectiveness of the project manager because the project manager should interact with the QA function. D. efficiency of the project manager because the QA function will need to communicate with the project implementation team.

You answered B. The correct answer is A. A. To be effective, the quality assurance (QA) function should be independent of project management. If not, project management may put pressure on the QA function to approve an inadequate product. B. The efficiency of the QA function would not be impacted by interacting with the project implementation team. The QA team would not release a product for implementation until it had met QA requirements. C. The project manager will respond to the issues raised by the QA team. This will not impact the effectiveness of the project manager. D. The QA function's interaction with the project implementation team should not impact the efficiency of the project manager.

Which of the following has the MOST significant impact on the success of an application systems implementation? Select an answer: A. The prototyping application development methodology B. Compliance with applicable external requirements C. The overall organizational environment D. The software reengineering technique

You answered B. The correct answer is C. A. The prototyping application development technique reduces the time to deploy systems primarily by using faster development tools that allow a user to see a high-level view of the workings of the proposed system within a short period of time. The use of any one development methodology will have a limited impact on the success of the project. B. Compliance with applicable external requirements has an impact on the implementation success, but the impact is not as significant as the impact of the overall organizational environments. C. The overall organizational environment has the most significant impact on the success of applications systems implemented. This includes the alignment between IT and the business, the maturity of the development processes and the use of change control and other project management tools. D. The software reengineering technique is a process of updating an existing system by extracting and reusing design and program components. This is used to support major changes in the way an organization operates. Its impact on the success of the application systems that are implemented is small compared with the impact of the overall organizational environment.

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should: Select an answer: A. conclude that the project is progressing as planned because dates are being met. B. question the project manager further to identify whether overtime costs are being tracked accurately. C. conclude that the programmers are intentionally working slowly to earn extra overtime pay. D. investigate further to determine whether the project plan may not be accurate.

You answered B. The correct answer is D. A. Even though the project is on time and budget, there may be problems with the project plan because considerable amounts of unplanned overtime have been required. B. There is a possibility that the project manager has hidden some costs to make the project look better; however, the real problem may be with whether the project plan is realistic, not just the accounting. C. It is possible that the programmers are trying to take advantage of the time system, but if the overtime has been required to keep the project on track it is more likely that the time lines and expectations of the project are unrealistic. D. While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a good practice. While overtime costs may be an indicator that something is wrong with the plan, in many organizations the programming staff may be salaried, so overtime costs may not be directly recorded.

An IS auditor who is auditing the software acquisition process will ensure that the: Select an answer: A. contract is reviewed and approved by the legal counsel before it is signed. B. requirements cannot be met with the systems already in place. C. requirements are found to be critical for the business. D. user participation is adequate in the process.

You answered C. The correct answer is A. A. The process to review and approve the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before management signs the contract. B. Existing systems may meet the requirements, but management may choose to acquire software for other reasons. C. Not all of the requirements in the contract need to support critical business needs; some requirements may be there for ease-of-use or other purposes. D. User participation is not necessarily required in the software acquisition process. Instead, users would most likely participate in requirements definition and user acceptance testing (UAT).

Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities? Select an answer: A. The programming language B. The development environment C. A version control system D. Program coding standards

You answered C. The correct answer is D. A. The programming language may be a concern if it is not a commonly used language; however, program coding standards are more important. B. The development environment may be relevant to evaluate the efficiency of the program development process but not future maintenance of the program. C. A version control system helps manage software code revisions; however, it does not ensure that coding standards are consistently applied. D. Program coding standards are required for efficient program maintenance and modifications. To enhance the quality of programming activities and future maintenance capabilities, program coding standards should be applied. Program coding standards are essential to writing, reading and understanding code, simply and clearly, without having to refer back to design specifications.

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? Select an answer: A. Using a cryptographic hashing algorithm B. Enciphering the message digest C. Calculating a checksum of the transaction D. Using a sequence number and time stamp

You answered C. The correct answer is D. A. Use of a cryptographic hashing algorithm against the entire message helps achieve data integrity but will not prevent duplicate processing. B. Enciphering the message digest using the sender's private key, which signs the sender's digital signature to the document, helps in authenticating the source and integrity of the transaction but will not prevent duplicate processing. C. A checksum can be used for data integrity but not to prevent duplicate transactions. D. When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and could be used to verify that a payment instruction was not duplicated.

Which of the following is the most important element in the design of a data warehouse? Select an answer: A. Quality of the metadata B. Speed of the transactions C. Volatility of the data D. Vulnerability of the system

You answered D. The correct answer is A. A. Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information. Companies that have built warehouses believe that metadata are the most important component of the warehouse. B. A data warehouse is used for analysis and research, not for production operations, so the speed of transactions is not relevant. C. Data in a data warehouse is frequently received from many sources and vast amounts of information may be received on an hourly or daily basis. Except to ensure adequate storage capability, this is not a primary concern of the designer. D. Data warehouses may contain sensitive information, or can be used to research sensitive information, so the security of the data warehouse is important. However, this is not the primary concern of the designer.

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? Select an answer: A. Intrusion detection systems (IDSs) B. Data mining techniques C. Firewalls D. Packet filtering routers

You answered D. The correct answer is B. A. An intrusion detection system (IDS) is effective in detecting network or host-based errors but not effective in measuring fraudulent transactions. B. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card. C. A firewall is an excellent tool for protecting networks and systems but not effective in detecting fraudulent transactions. D. A packet filtering router operates at a network level and cannot see a transaction.

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those: Select an answer: A. whose sum of activity time is the shortest. B. that have zero slack time. C. that give the longest possible completion time. D. whose sum of slack time is the shortest.

You answered D. The correct answer is B. A. Attention should focus on the tasks within the critical path that have no slack time. B. A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing (i.e., for reduction in their time by payment of a premium for early completion). Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs versus time can be obtained. C. The critical path is the longest time length of the activities, but is not based on the longest time of any individual activity. D. A task on the critical path has no slack time.

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process? Select an answer: A. The encryption algorithm format B. The detailed internal control procedures C. The necessary communication protocols D. The proposed trusted third-party agreement

You answered D. The correct answer is C. A. Encryption algorithms are too detailed for this phase. They would only be outlined and any cost or performance implications shown. B. Internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. C. The communications protocols must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization. D. Third-party agreements are too detailed for this phase. They would only be outlined and any cost or performance implications shown.

Which of the following types of risk could result from inadequate software baselining? Select an answer: A. Sign-off delays B. Software integrity violations C. Scope creep D. Inadequate controls

You answered D. The correct answer is C. A. Sign-off delays may occur due to inadequate software baselining; however, these are most likely caused by scope creep. B. Software integrity violations can be caused by hardware or software failures, malicious intrusions or user errors. Software baselining does not help prevent software integrity violations. C. A software baseline is the cutoff point in the design and development of a system. Beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage a system through baselining can result in uncontrolled changes in a project's scope and may incur time and budget overruns. D. Inadequate controls are most likely present in situations in which information security is not duly considered from the beginning of system development; they are not a risk that can be adequately addressed by software baselining.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? Select an answer: A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget

You answered D. The correct answer is C. A. The IS auditor cannot count on the accuracy of data in status reports for reasonable assurance. B. Interviews are a valuable source of information, but will not necessarily identify any project challenges because the people being interviewed are involved in project. C. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., 80:20 rule). D. The calculation based on remaining budget does not take into account the speed at which the project has been progressing.

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: Select an answer: A. the project manager. B. systems development management. C. business unit management. D. the quality assurance (QA) team.

You answered D. The correct answer is C. A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. The project manager cannot sign off on project requirements; that would be a violation of separation of duties. B. Systems development management provides technical support for hardware and software environments. C. Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. D. The quality assurance (QA) team ensures the quality of the project by measuring adherence to the organization's system development life cycle (SDLC). They will conduct testing but not sign off on the project requirements.

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: Select an answer: A. integrity. B. authenticity. C. authorization. D. nonrepudiation.

You are correct, the answer is A. A. A checksum calculated on an amount field and included in the electronic data interchange (EDI) communication can be used to identify unauthorized modifications. B. Authenticity cannot be established by a checksum alone and needs other controls. C. Authorization cannot be established by a checksum alone and needs other controls. D. Nonrepudiation can be ensured by using digital signatures.

A project development team is considering using production data for its test deck. The team removed sensitive data elements from the bed before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice? Select an answer: A. Not all functionality will be tested. B. Production data are introduced into the test environment. C. Specialized training is required. D. The project may run over budget.

You are correct, the answer is A. A. A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement. B. The presence of production data in a test environment is not a concern if the sensitive elements have been scrubbed. C. Creation of a test deck from production data does not require specialized knowledge, so this is not a concern. D. The risk of a project running over budget is always a concern, but it is not related to the practice of using production data in a test environment.

Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse? Select an answer: A. Accuracy of the source data B. Credibility of the data source C. Accuracy of the extraction process D. Accuracy of the data transformation

You are correct, the answer is A. A. Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Inaccurate source data will corrupt the integrity of the data in the data warehouse. B. Credibility of the data source is important but would not change inaccurate data into quality (accurate) data. C. Accurate extraction processes are important but would not change inaccurate data into quality (accurate) data. D. Accurate transformation routines are important but would not change inaccurate data into quality (accurate) data.

Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed? Select an answer: A. The time and cost implications caused by the change B. The risk that regression tests will fail C. Users not agreeing with the change D. The project team not having the skills to make the necessary change

You are correct, the answer is A. A. Any scope change might have an impact on duration and cost of the project; that is the reason why an impact study is conducted and the client is informed of the potential impact on the schedule and cost. B. A change in scope does not necessarily impact the risk that regression tests will fail. C. An impact study will not determine whether users will agree with a change in scope. D. Conducting an impact study could identify a lack of resources such as the project team lacking the skills necessary to make the change; however, this is only part of the impact on the overall time lines and cost to the project due to the change.

An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue? Select an answer: A. Project scope management B. Project time management C. Project risk management D. Project procurement management

You are correct, the answer is A. A. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project. B. Project time management is defined as the processes required to ensure timely completion of the project. The issue noted in the question does not mention whether projects were completed on time, so this is not the most likely cause. C. Project risk management is defined as the processes concerned with identifying, analyzing and responding to project risk. Although the budget overruns mentioned above represent one form of project risk, they appear to be caused by implementing too much functionality, which relates more directly to project scope. D. Project procurement management is defined as the processes required to acquire goods and services from outside the performing organization. Although purchasing goods and services that are too expensive can cause budget overruns, in this case the key to the question is that implemented functionality is greater than what was required, which is more likely related to project scope.

Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment? Select an answer: A. Lack of transaction authorizations B. Loss or duplication of EDI transmissions C. Transmission delay D. Deletion or manipulation of transactions prior to or after establishment of application controls

You are correct, the answer is A. A. Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. B. Loss or duplication of electronic data interchange (EDI) transmissions is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions. C. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data. D. Deletion or manipulation of transactions prior to or after establishment of application controls is an example of risk, logging will detect any alteration to the data and the impact is not as great as that of unauthorized transactions.

A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine: Select an answer: A. what amount of progress against schedule has been achieved. B. if the project budget can be reduced. C. if the project could be brought in ahead of schedule. D. if the budget savings can be applied to increase the project scope.

You are correct, the answer is A. A. Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project. B. To properly assess the project budget position it is necessary to know how much progress has actually been made and, given this, what level of expenditure would be expected. It is possible that project expenditure appears to be low because actual progress has been slow. Until the analysis of project against schedule has been completed, it is impossible to know whether there is any reason to reduce budget. If the project has slipped behind schedule, then not only may there be no spare budget but it is possible that extra expenditure may be needed to retrieve the slippage. The low expenditure could actually be representative of a situation where the project is likely to miss deadlines rather than potentially come in ahead of time. C. If the project is found to be ahead of budget after adjusting for actual progress, this is not necessarily a good outcome because it points to flaws in the original budgeting process; and, as said previously, until further analysis is undertaken, it cannot be determined whether any spare funds actually exist. D. If the project is behind schedule, adding scope may be the wrong thing to do.

A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision? Select an answer: A. Technical skills and knowledge within the organization related to sourcing and software development B. Privacy requirements as applied to the data processed by the application C. Whether the legacy system being replaced was developed in-house D. The users not devoting reasonable time to define the functionalities of the solution

You are correct, the answer is A. A. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application. B. Privacy regulations would apply to both solutions. C. While individuals with knowledge of the legacy system are helpful, they may not have the technical skills to build a new system. Therefore, this is not the primary factor influencing the make versus buy decision. D. Unclear business requirements (functionalities) will similarly affect either development process, but are not the primary factor influencing the make versus buy decision.

While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project: Select an answer: A. is behind schedule. B. is ahead of schedule. C. is on schedule. D. cannot be evaluated until the activity is completed.

You are correct, the answer is A. A. Earned value analysis (EVA) is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed. B. The project is not ahead of schedule because the work remaining exceeds the time allotted. C. The project is not on schedule because only 16 hours remain to do 20 hours work. D. The amount of work left has been evaluated at 20 hours and the time left on the project is 16 hours, so the auditor can evaluate the current status of the project.

Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds? Select an answer: A. Generalized audit software (GAS) B. Integrated test facility C. Regression tests D. Snapshots

You are correct, the answer is A. A. Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts of data. B. The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions. C. Regression tests are used to test new versions of software to ensure that previous changes and functionality are not inadvertently overwritten or disabled by the new changes. D. Snapshot takes pictures of information it observes in the execution of program logic.

During a system development life cycle (SDLC) audit of a human resources (HR) and payroll application, the IS auditor notes that the data used for user acceptance testing (UAT) have been masked. The purpose of masking the data is to ensure the: Select an answer: A. confidentiality of the data. B. accuracy of the data. C. completeness of the data. D. reliability of the data.

You are correct, the answer is A. A. Masking is used to ensure the confidentiality of data, especially in a user acceptance testing (UAT) exercise in which the testers have access to data that they would not have access to in normal production environments. B. Masking does not ensure accuracy of the data. If the underlying data are inaccurate, the masked data also would be inaccurate. C. Masking does not ensure completeness of the data. If the underlying data are incomplete, the masked data also would be incomplete. D. Masking does not ensure reliability of the data. If the underlying data are unreliable, the masked data also would be unreliable.

The use of object-oriented design and development techniques would MOST likely: Select an answer: A. facilitate the ability to reuse modules. B. improve system performance. C. enhance control effectiveness. D. speed up the system development life cycle (SDLC).

You are correct, the answer is A. A. One of the major benefits of object-oriented design and development is the ability to reuse modules. B. Object-oriented design is not intended as a method of improving system performance. C. Control effectiveness is not an objective of object-oriented design and control effectiveness may, in fact, be reduced through this approach. D. The use of object-oriented design may speed up the system development life cycle (SDLC) for future projects through the reuse of modules, but it will not speed up development of the initial project.

An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? Select an answer: A. Achieve standards alignment through an increase of resources devoted to the project. B. Align the data definition standards after completion of the project. C. Delay the project until compliance with standards can be achieved. D. Enforce standard compliance by adopting punitive measures against violators.

You are correct, the answer is A. A. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. B. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion is risky and is not a viable solution. C. Delaying the project would be an inappropriate suggestion because of business requirements or the likely damage to entire project profitability. D. Punishing the violators would be outside the authority of the auditor and inappropriate until the reason for the violations have be determined.

A rapid application development (RAD) methodology has been selected to implement a new enterprise resource planning (ERP) system. All of the project activities have been assigned to the contracted consulting company because internal employees are not available. What is the IS auditor's FIRST step to compensate for the lack of resources? Select an answer: A. Review the project plan and approach. B. Ask the vendor to provide additional external staff. C. Recommend that the company hire more people. D. Stop the project until all human resources (HR) are available.

You are correct, the answer is A. A. Rapid methodologies require available resources with good expertise and a fast decision-making process because the plan duration is usually short. Reviewing the project plan and approach is the best recommendation to make the appropriate changes to compensate for the missing end users. B. Adding external people to the project will not resolve the problem because they will not be able to decide on behalf of the internal employees who are usually end users from the business side. C. Hiring new people will take time and does not guarantee the readiness of new hires to make appropriate decisions in this project. D. Stopping the project could be a good option, but reviewing the project and considering all of the aspects should be done first.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the test phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy? Select an answer: A. Test and release a pilot with reduced functionality. B. Fix and retest the highest-severity functional defects. C. Eliminate planned testing by the development team, and proceed straight to acceptance testing. D. Implement a test tool to automate defect tracking.

You are correct, the answer is A. A. Testing and releasing a pilot with reduced functionality reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risk associated with a full implementation. All of the benefits of releasing the system to the full user population will not be realized, but some benefits should start to flow. Additionally, some useful comments from real users should be obtained to guide what extra functionality and other improvements need to be included in a full release. B. When testing starts, a significant amount of defects is likely to exist. Focusing only on the highest-severity functional defects runs the risk that other important aspects such as usability problems and nonfunctional requirements of performance and security will be ignored. The system may go live, but users may struggle to use the system as intended to realize business benefits. C. Eliminating testing by development is usually a bad idea. Before system acceptance testing begins, some prior testing should occur to establish that the system is ready to proceed to acceptance evaluation. If prior testing by the development team does not occur, there is a considerable risk that the software will have a significant amount of low-level defects, such as transactions that cause the system to hang and unintelligible error messages. This can prove frustrating for users or testers tasked with acceptance testing and, ultimately, could cause the overall test time to increase rather than decrease. D. The use of a defect tracking tool could help in improving test efficiency, but it does not address the fundamental risk caused by reducing the testing effort on a system in which quality is uncertain. Given the build problems experienced, there is reason to suspect that quality problems could exist.

Which of the following is an advantage of the top-down approach to software testing? Select an answer: A. Interface errors are identified early. B. Testing can be started before all programs are complete. C. It is more effective than other testing approaches. D. Errors in critical modules are detected sooner.

You are correct, the answer is A. A. The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. B. That testing can be started before all programs are complete is an advantage of the bottom-up approach to system testing. C. The most effective testing approach is dependent on the environment being tested. D. Detecting errors in critical modules sooner is an advantage of the bottom-up approach to system testing.

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process? Select an answer: A. Whether key controls are in place to protect assets and information resources B. Whether the system addresses corporate customer requirements C. Whether the system can meet the performance goals (time and resources) D. Whether the new system will support separation of duties

You are correct, the answer is A. A. The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. B. The system must meet the requirements of all customers not just corporate customers. This is not the IS auditor's main concern. C. The system must meet performance requirements, but this is of secondary concern to the need to ensure that key controls are in place. D. Separation of duties is a key control—but only one of the controls that should be in place to protect the assets of the organization.

A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy: Select an answer: A. payroll reports should be compared to input forms. B. gross payroll should be recalculated manually. C. checks (cheques) should be compared to input forms. D. checks (cheques) should be reconciled with output reports.

You are correct, the answer is A. A. The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism of verifying data accuracy. B. Recalculating gross payroll manually would only verify whether the processing is correct and not the data accuracy of inputs. C. Comparing checks (cheques) to input forms is not feasible because checks (cheques) have the processed information and input forms have the input data. D. Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per output reports.

An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to: Select an answer: A. stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans. B. accept the project manager's position because the project manager is accountable for the outcome of the project. C. offer to work with the risk manager when one is appointed. D. inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.

You are correct, the answer is A. A. The majority of project risk can be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy, enterprise risk management, and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk. B. The project manager cannot accept responsibility for risk acceptance. The risk must be addressed continuously—starting as early in the process as possible. C. Appointing a risk manager is a good practice but waiting until the project has been impacted by risk is misguided. Risk management needs to be forward looking; allowing risk to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risk has emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implement risk management. D. IS auditors cannot provide risk review without impairing their independence.

Before implementing controls in a newly developed system, management should PRIMARILY ensure that the controls: Select an answer: A. satisfy a requirement in addressing a risk. B. do not reduce productivity. C. are based on a minimized cost analysis. D. are detective or corrective.

You are correct, the answer is A. A. The purpose of a control is to mitigate a risk; therefore, the primary consideration when selecting a control is that it effectively mitigates an identified risk. When designing controls, it is necessary to consider all of the aspects in choices A through D. In an ideal situation, controls that address all of these aspects would be the best controls. Realistically, it may not be possible to design them all and the cost may be prohibitive; therefore, it is necessary to consider the controls related primarily to the treatment of existing risk in the organization. B. Controls will often affect productivity and performance; however, this must be balanced against the benefit obtained from the implementation of the control. C. The most important reason for a control is to mitigate a risk—and the selection of a control is usually based on a cost-benefit analysis, not on selecting just the least expensive control. D. A good control environment will include preventive, detective and corrective controls.

An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the: Select an answer: A. complexity and risk associated with the project have been analyzed. B. resources needed throughout the project have been determined. C. technical deliverables have been identified. D. a contract for external parties involved in the project has been completed.

You are correct, the answer is A. A. Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. B. The resources needed will be dependent on the complexity of the project. C. It is too early to identify the technical deliverables. D. Not all projects will require contracts with external parties.

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately and the corresponding products are produced? Select an answer: A. Verifying production to customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production

You are correct, the answer is A. A. Verification will ensure that produced products match the orders in the customer order system. B. Logging can be used to detect inaccuracies but does not, in itself, guarantee accurate processing. C. Hash totals will ensure accurate order transmission, but not accurate processing centrally. D. Production supervisory approval is a time consuming, manual process that does not guarantee proper control.

Information for detecting unauthorized input from a user workstation would be BEST provided by the: Select an answer: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report.

You are correct, the answer is B. A. A console log printout is not the best because it would not record activity from a specific terminal. B. The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. C. An automated suspense file listing would list only transaction activity where an edit error occurred. D. The user error report would list only input that resulted in an edit error and would not record improper user input.

Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects? Select an answer: A. Increase the time allocated for system testing. B. Implement formal software inspections. C. Increase the development staff. D. Require the sign-off of all project deliverables.

You are correct, the answer is B. A. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring, and the cost of the extra testing and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. B. Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction because less rework is involved. C. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. D. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce and may occur too late in the process to be cost-effective. Deliverable reviews normally do not go down to the same level of detail as software inspections.

When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should: Select an answer: A. not be concerned because there may be other compensating controls to mitigate the risk. B. ensure that overrides are automatically logged and subject to review. C. verify whether all such overrides are referred to senior management for approval. D. recommend that overrides not be permitted.

You are correct, the answer is B. A. An IS auditor should not assume that compensating controls exist. B. If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log. C. The log may be reviewed by another manager but does not require senior management approval. D. As long as the overrides are policy-compliant, there is no need for senior management approval or a blanket prohibition.

When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the: Select an answer: A. project be discontinued. B. business case be updated and possible corrective actions be identified. C. project be returned to the project sponsor for reapproval. D. project be completed and the business case be updated later.

You are correct, the answer is B. A. An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. B. The IS auditor should recommend that the business case be kept current throughout the project because it is a key input to decisions made throughout the life of any project. C. The project cannot be returned to the sponsor until the business case has been updated. D. An IS auditor should not recommend completing the project before reviewing an updated business case and ensuring approval from the project sponsor.

At the completion of a system development project, a post-project review should include which of the following? Select an answer: A. Assessing risk that may lead to downtime after the production release B. Identifying lessons learned that may be applicable to future projects C. Verifying that the controls in the delivered system are working D. Ensuring that test data are deleted

You are correct, the answer is B. A. An assessment of potential downtime should be made with the operations group and other specialists before implementing a system. B. A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects. C. Verifying that controls are working should be covered during the acceptance test phase and possibly, again in the postimplementation review. The post-project review will focus on project-related issues. D. Test data should be retained for future regression testing.

The MAIN purpose of a transaction audit trail is to: Select an answer: A. reduce the use of storage media. B. determine accountability and responsibility for processed transactions. C. help an IS auditor trace transactions. D. provide useful information for capacity planning.

You are correct, the answer is B. A. Enabling audit trails increases the use of disk space. B. Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. C. A transaction log file would be used to trace transactions, but the primary purpose of an audit trail is to support accountability, not to support the work of the IS auditor. D. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as central processing unit (CPU) utilization, bandwidth and the number of users.

Which of the following types of risk is MOST likely encountered in a software as a service (SaaS) environment? Select an answer: A. Noncompliance with software license agreements B. Performance issues due to Internet delivery method C. Higher cost due to software licensing requirements D. Higher cost due to the need to update to compatible hardware

You are correct, the answer is B. A. Software as a service (SaaS) is provisioned on a usage basis and the number of users is monitored by the SaaS provider; therefore, there should be no risk of noncompliance with software license agreements. B. The risk that could be most likely encountered in a SaaS environment is speed and availability issues, due to the fact that SaaS relies on the Internet for connectivity. C. The costs for a SaaS solution should be fixed as a part of the services contract and considered in the business case presented to management for approval of the solution. D. The open design and Internet connectivity allow most SaaS to run on virtually any type of hardware.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? Select an answer: A. Function point analysis (FPA) B. Earned value analysis (EVA) C. Cost budget D. Program evaluation and review technique (PERT)

You are correct, the answer is B. A. Function point analysis (FPA) is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget. B. Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists. C. Cost budgets do not address time. D. Program evaluation and review technique (PERT) aids time and deliverables management, but lacks projections for estimates at completion (EACs) and overall financial management.

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation? Select an answer: A. Log all table update transactions. B. Implement integrity constraints in the database. C. Implement before and after image reporting. D. Use tracing and tagging.

You are correct, the answer is B. A. Logging all table update transactions provides audit trails and is a detective control but will not prevent the introduction of inaccurate data. B. Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, which prevents any undefined data from being entered. C. Before and after image reporting makes it possible to trace the impact that transactions have on computer records and is a detective control. D. Tracing and tagging is used to test application systems and controls but is not a preventive control that can avoid out-of-range data.

What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning (ERP) payroll system that is replacing an existing legacy system? Select an answer: A. Multiple testing B. Parallel testing C. Integration testing D. Prototype testing

You are correct, the answer is B. A. Multiple testing will not compare results from the old and new systems. B. Parallel testing is the best method for testing data results and system behavior because it allows the users to compare results from both systems before decommission of the legacy system. Parallel testing also results in better user adoption of the new system. C. Integration testing refers to how the system interacts with other systems, and it is not performed by end users. D. Prototype testing is used during design and development to ensure that user input is received; however, this method is not used for acquired systems or during user acceptance testing.

While evaluating the "out of scope" section specified in a project plan, an IS auditor should ascertain whether the section: Select an answer: A. effectively describes unofficial project objectives. B. effectively describes project boundaries. C. clearly states the project's "nice to have" objectives. D. provides the necessary flexibility to the project team.

You are correct, the answer is B. A. Out-of-scope items are not part of the project. There should be no unofficial project objectives. Reasonable objectives should be considered by the project leadership and either accepted (in scope) or rejected (out of scope). B. The purpose of the out of scope section is to make clear to readers what items are not considered project objectives so that all project stakeholders understand the project boundaries and what is in scope versus out of scope. This applies to all types of projects, including individual audits. C. Out-of-scope items are not part of the project, while nice to have items may be included in the project objectives. However, they may be the last priority on the list of all project objectives. D. Out-of-scope items are not part of the project; the project team's flexibility regarding project objectives should be managed through a robust change request process. This is particularly important to avoid scope creep.

An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that: Select an answer: A. users may prefer to use contrived data for testing. B. unauthorized access to sensitive data may result. C. error handling and credibility checks may not be fully proven. D. the full functionality of the new process may not necessarily be tested.

You are correct, the answer is B. A. Production data are easier for users to use for comparison purposes. B. Unless the data are sanitized, there is a risk of disclosing sensitive data. C. There is a risk that former production data may not test all error routines; however, this is not as serious as the risk of release of sensitive data. D. Using a copy of production data may not test all functionality, but this is not as serious as the risk of disclosure of sensitive data.

An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort? Select an answer: A. Program evaluation review technique (PERT) B. Function point analysis (FPA) C. Counting source lines of code D. White box testing

You are correct, the answer is B. A. Program evaluation review technique (PERT) is a project management technique used in the planning and control of system projects. B. Function point analysis (FPA) is a technique used to determine the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal sites. C. The number of source lines of code gives a direct measure of program size, but it does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. D. White box testing involves a detailed review of the behavior of program code. It is a quality assurance technique suited to simpler applications during the design and building stage of development.

A failure discovered in which of the following testing stages would have the GREATEST impact on the implementation of new application software? Select an answer: A. System testing B. Acceptance testing C. Integration testing D. Unit testing

You are correct, the answer is B. A. System testing is undertaken by the development team to determine if the combined units of software work together and that the software meets user requirements per specifications. A failure here would be expensive but easier to fix than a failure found later in the testing process. B. Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level because this could result in delays and cost overruns. C. Integration testing examines the units/modules as one integrated system and unit testing examines the individual units or components of the software. A failure here would be expensive and require re-work of the modules, but would not be as expensive as a problem found just prior to implementation. D. System, integration and unit testing are all performed by the developers at various stages of development; the impact of failure is comparatively less for each than failure at the acceptance testing stage.

When a new system is to be implemented within a short time frame, it is MOST important to: Select an answer: A. finish writing user manuals. B. perform user acceptance testing. C. add last-minute enhancements to functionalities. D. ensure that the code has been documented and reviewed.

You are correct, the answer is B. A. The completion of the user manuals is less important than the need to test the system adequately. B. It would be most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly. C. If time is tight, the last thing one would want to do is add another enhancement because it would be necessary to freeze the code and complete the testing, then make any other changes as future enhancements. D. It would be appropriate to have the code documented and reviewed, but unless the acceptance testing is completed, there is no guarantee that the system will work correctly and meet user requirements.

During which of the following phases in system development would user acceptance test plans normally be prepared? Select an answer: A. Feasibility study B. Requirements definition C. Implementation planning D. Postimplementation review

You are correct, the answer is B. A. The feasibility study is too early for such detailed user involvement. B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient. C. The implementation planning phase is when the tests are conducted. It is too late in the process to develop the test plan. D. User acceptance testing should be completed prior to implementation.

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: Select an answer: A. check to ensure that the type of transaction is valid for the card type. B. verify the format of the number entered, then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. D. confirm that the card is not shown as lost or stolen on the master file.

You are correct, the answer is B. A. The initial validation would not be used to check the transaction type—just the validity of the card number. B. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed. C. The initial validation is to prove the card number entered is valid—only then can the transaction amount be checked for approval from the bank. D. The verification that the card has not been reported as lost or stolen is only done after the card number has been validated as correctly entered.

The PRIMARY purpose of audit trails is to: Select an answer: A. improve response time for users. B. establish accountability and responsibility for processed transactions. C. improve the operational efficiency of the system. D. provide useful information to auditors who may wish to track transactions.

You are correct, the answer is B. A. The objective of enabling software to provide audit trails is not to improve system efficiency because it often involves additional processing which may, in fact, reduce response time for users. B. Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system. C. Enabling audit trails involves storage and, thus, occupies disk space and may decrease operational efficiency. D. Audit trails are used to track transactions for various purposes, not just for audit. The use of audit trails for IS auditors is valid; however, it is not the primary reason.

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system? Select an answer: A. A sufficient quantity of data for each test case B. Data representing conditions that are expected in actual processing C. Completing the test on schedule D. A random sample of actual data

You are correct, the answer is B. A. The quantity of data for each test case is not as important as having test cases that will address all types of operating conditions. B. Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. C. It is more important to have adequate test data than to complete the testing on schedule. D. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.

An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems? Select an answer: A. Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled. B. Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for. C. Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected. D. System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.

You are correct, the answer is B. A. Totaling transactions on the sales system does not address the transfer of data from the online systems to the accounting system, but rather considers only the sales system. B. Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions would be identified by a gap. C. Checking for duplicates is a valid control; however, it does not address whether the sales transactions processed are complete (ensuring that all transactions are recorded). D. A date/time stamp does not help account for transactions that are missing or incomplete by the accounting and delivery department.

A decision support system (DSS) is used to help high-level management: Select an answer: A. solve highly structured problems. B. combine the use of decision models with predetermined criteria. C. make decisions based on data analysis and interactive models. D. support only structured decision-making tasks.

You are correct, the answer is C. A. A decision support system (DSS) is aimed at solving less structured problems. B. A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions, but is not limited by predetermined criteria. C. A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria. D. A DSS supports semistructured decision-making tasks.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? Select an answer: A. Project sponsor B. System development project team (SDPT) C. Project steering committee D. User project team (UPT)

You are correct, the answer is C. A. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. B. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for overseeing the progress of the project. C. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. D. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.

Which of the following controls helps prevent duplication of vouchers during data entry? Select an answer: A. A range check B. Transposition and substitution C. A sequence check D. A cyclic redundancy check (CRC)

You are correct, the answer is C. A. A range check works over a range of numbers. Even if the same voucher number reappears, it will satisfy the range and, therefore, not be useful. B. Transposition and substitution are used in encoding but will not help in establishing unique voucher numbers. C. A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers. D. A cyclic redundancy check (CRC) is used for completeness of data received over the network but is not useful in application code level validations.

Ideally, stress testing should be carried out in a: Select an answer: A. test environment using test data. B. production environment using live workloads. C. test environment using live workloads. D. production environment using test data.

You are correct, the answer is C. A. A test environment should always be used to avoid damaging the production environment, but only testing with test data may not test all aspects of the system adequately. B. Testing should never take place in a production environment. C. Stress testing is carried out to ensure that a system can cope with production workloads. Testing with production level workloads is important to ensure that the system will operate effectively when moved into production. D. It is not advisable to do stress testing in a production environment. Additionally, if only test data are used, there is no certainty that the system was stress tested adequately.

Which of the following is the GREATEST risk to the effectiveness of application system controls? Select an answer: A. Removal of manual processing steps B. Inadequate procedure manuals C. Collusion between employees D. Unresolved regulatory compliance issues

You are correct, the answer is C. A. Automation should remove manual processing steps wherever possible. The only risk would be the removal of manual security controls without replacement with automated controls. B. The lack of documentation is a problem on many systems but not a serious risk in most cases. C. Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented. D. Unregulated compliance issues are a risk but do not measure the effectiveness of the controls.

Which of the following is the PRIMARY purpose for conducting parallel testing? Select an answer: A. To determine whether the system is cost-effective B. To enable comprehensive unit and system testing C. To highlight errors in the program interfaces with files D. To ensure the new system meets user requirements

You are correct, the answer is D. A. Parallel testing may show that the old system is, in fact, more cost-effective than the new system, but this is not the primary reason for parallel testing. B. Unit and system testing are completed before parallel testing. C. Program interfaces with files are tested for errors during system testing. D. The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements by comparing the results of the old system with the new system to ensure correct processing.

The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during: Select an answer: A. the internal lab testing phase. B. testing and prior to user acceptance. C. the requirements gathering process. D. the implementation phase.

You are correct, the answer is C. A. During testing, the IS auditor will ensure that the security requirements are met. This is not the time to assess the control specifications. B. The control specifications will drive the security requirements that are built into the contract and should be assessed before the product is acquired and tested. C. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues. D. During the implementation phase, the IS auditor may check whether the controls have been enabled; however, this is not the time to assess the control requirements.

An advantage in using a bottom-up vs. a top-down approach to software testing is that: Select an answer: A. interface errors are detected earlier. B. confidence in the system is achieved earlier. C. errors in critical modules are detected earlier. D. major functions and processing are tested earlier.

You are correct, the answer is C. A. Interface errors will not be found until later in the testing process—as a result of integration or system testing. B. Confidence in the system cannot be obtained until the testing is completed. C. The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that errors in critical modules are found earlier. D. Bottom-up testing tests individual components and major functions and processing will not be adequately tested until systems and integration testing is completed.

In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as: Select an answer: A. isolation. B. consistency. C. atomicity. D. durability.

You are correct, the answer is C. A. Isolation ensures that each transaction is isolated from other transactions; hence, each transaction can only access data if it is not being simultaneously accessed or modified by another process. B. Consistency ensures that all integrity conditions in the database be maintained with each transaction. C. The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. D. Durability ensures that, when a transaction has been reported back to a user as complete, the resultant changes to the database will survive subsequent hardware or software failures.

During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions? Select an answer: A. One-for-one checking B. Data file security C. Transaction logs D. File updating and maintenance authorization

You are correct, the answer is C. A. One-for-one checking is a control procedure in which an individual document agrees with a detailed listing of documents processed by the system. It would take a long time to complete the research using this procedure. B. Data file security controls prevent access by unauthorized users in their attempt to alter data files. This would not help identify the transactions posted to an account. C. Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc. Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file. It also helps to determine which transactions have been posted to an account—by a particular individual during a particular period. D. File updating and maintenance authorization is a control procedure to update the stored data and ensure accuracy and security of stored data. This does provide evidence regarding the individuals who update the stored data; however, it is not effective in the given situation to determine transactions posted to an account.

A company's development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects? Select an answer: A. Functional verification of the prototypes is assigned to end users. B. The project is implemented while minor issues are open from user acceptance testing (UAT). C. Project responsibilities are not formally defined at the beginning of a project. D. Program documentation is inadequate.

You are correct, the answer is C. A. Prototypes are verified by users. B. User acceptance testing (UAT) is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage. C. Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project. D. Lack of adequate program documentation, while a concern, is not as big a risk as the lack of assigned responsibilities during the initial stages of the project.

Which of the following is MOST relevant to an IS auditor evaluating how the project manager has monitored the progress of the project? Select an answer: A. Critical path diagrams B. Program evaluation review technique (PERT) diagrams C. Function point analysis (FPA) D. Gantt charts

You are correct, the answer is D. A. Critical path diagrams are used to determine the critical path for the project that represents the shortest possible time required for completing the project. B. Program evaluation review technique (PERT) diagrams are a critical path method (CPM) technique in which three estimates (as opposed to one) of time lines required to complete activities are used to determine the critical path. C. Function point analysis (FPA) is a technique used to determine the size of a development task, based on the number of function points. D. Gantt charts help to identify activities that have been completed early or late through comparison to a baseline. Progress of the entire project can be read from the Gantt chart to determine whether the project is behind, ahead of or on schedule.

To minimize the cost of a software project, quality management techniques should be applied: Select an answer: A. as close to their writing (i.e., point of origination) as possible. B. primarily at project start to ensure that the project is established in accordance with organizational governance standards. C. continuously throughout the project with an emphasis on finding and fixing defects primarily through testing to maximize the defect detection rate. D. mainly at project close-down to capture lessons learned that can be applied to future projects.

You are correct, the answer is C. A. Quality assurance (QA) should start as early as possible but continue through the entire development process. B. Only performing QA during the start of the project will not detect problems that appear later in the development cycle. C. While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle that a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work. D. Capturing lessons learned will be too late for the current project. Additionally, applying quality management techniques throughout a project is likely to yield its own insights into the causes of quality problems and assist in staff development.

An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the: Select an answer: A. EDI trading partner agreements. B. physical controls for terminals. C. authentication techniques for sending and receiving messages. D. program change control procedures.

You are correct, the answer is C. A. The electronic data interchange (EDI) trading partner agreements would minimize exposure to legal issues, but would not resolve the problem of unauthorized transactions. B. Physical control is important and may provide protection from unauthorized people accessing the system but would not provide protection from unauthorized transactions by authorized users. C. Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. D. Change control procedures would not resolve the issue of unauthorized transactions.

During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: Select an answer: A. increased maintenance. B. improper documentation of testing. C. improper acceptance of a program. D. delays in problem resolution.

You are correct, the answer is C. A. The method of testing used will not affect the maintenance of the system. B. Quality assurance and user acceptance testing are often led by business representatives according to a defined test plan. The combination of these two tests will not affect documentation. C. The major risk of combining quality assurance testing and user acceptance testing is that the users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards. D. The method of testing should not affect the time lines for problem resolution.

Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested? Select an answer: A. A snapshot B. Tracing and tagging C. Logging D. Mapping

You are correct, the answer is D. A. A snapshot records the flow of designated transactions through logic paths within programs. B. Tracing and tagging shows the trail of instructions executed during an application. C. Logging is the activity of recording specific tasks for future review. D. Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.

Which of the following would BEST help to detect errors in data processing? A. Programmed edit checks B. Well-designed data entry screens C. Segregation of duties D. Hash totals

You are correct, the answer is D. A. Automated controls such as programmed edit checks are preventive controls. B. Automated controls such as well-designed data entry screens are preventive controls. C. Enforcing segregation of duties primarily ensures that a single individual does not have the authority to both create and approve a transaction; this is not considered to be a method to detect errors, but a method to help prevent errors. D. The use of hash totals is an effective method to reliably detect errors in data processing. A hash total would indicate an error in data integrity.

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved.

You are correct, the answer is D. A. Because the software package has already been acquired, it is most likely that it is in use and therefore compatible with existing hardware. Further, the first responsibility of the IS auditor is to ensure that the purchasing procedures have been approved. B. Because there was no request for proposal (RFP), there may be no documentation of the expectations of the product and nothing to measure a gap against. The first task for the IS auditor is to ensure that the purchasing procedures were approved. C. The licensing policy should be reviewed to ensure proper licensing but only after the purchasing procedures are checked. D. In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities.

A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? Select an answer: A. Key verification B. One-for-one checking C. Manual recalculations D. Functional acknowledgements

You are correct, the answer is D. A. Key verification is used for encryption and protection of data but not for data mapping. B. One-for-one checking validates that transactions are accurate and complete but does not map data. C. Manual recalculations are used to verify that the processing is correct but do not map data. D. Acting as an audit trail for electronic data interchange (EDI) transactions, functional acknowledgments are one of the main controls used in data mapping.

An advantage of using sanitized live transactions in test data is that: Select an answer: A. all transaction types will be included. B. every error condition is likely to be tested. C. no special routines are required to assess the results. D. test transactions are representative of live processing.

You are correct, the answer is D. A. Sanitized production data may not contain all transaction types. The test data may need to be modified to ensure that all data types are represented. B. Not all error types are sure to be tested because most production data will only contain certain types of errors. C. The results can be tested using normal routines, but that is not a significant advantage of using sanitized live data. D. Test data will be representative of live processing; however, it is important that all sensitive information in the live transaction file is sanitized to prevent improper data disclosure.

An IS auditor is involved in the reengineering process that aims to optimize IT infrastructure. Which of the following will BEST identify the issues to be resolved? Select an answer: A. Self-assessment B. Reverse engineering C. Prototyping D. Gap analysis

You are correct, the answer is D. A. Self-assessment may be one of the viable options with which to start; however, the results only indicate current conditions, not desired state, and tend to become subjective. B. Reverse engineering is a technique applied to analyze how a device or program works and is not appropriate here. C. Prototyping is applied to ensure that user requirements are met prior to being engaged in a full-blown development process. D. Gap analysis would be the best method to identify issues that need to be addressed in the reengineering process. Gap analysis indicates which parts of current processes conform to good practices (desired state) and which do not.

Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing? Select an answer: A. Test data covering critical applications B. Detailed test plans C. Quality assurance (QA) test specifications D. User acceptance test specifications

You are correct, the answer is D. A. Test data will usually be created during the system testing phase. B. Detailed test plans are created during system testing. C. Quality assurance (QA) test specifications are set out later in the development process. D. A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase.

An IS auditor is assigned to audit a software development project, which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take? A. Report that the organization does not have effective project management. B. Recommend the project manager be changed. C. Review the IT governance structure. D. Review the business case and project management.

You are correct, the answer is D. A. The organization may have effective project management practices and still be behind schedule or over budget. B. There is no indication that the project manager should be changed without looking into the reasons for the overrun. C. The organization may have sound IT governance and still be behind schedule or over budget. D. Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to bringing the project over budget and over schedule.

The editing/validation of data entered at a remote site would be performed MOST effectively at the: Select an answer: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site.

You are correct, the answer is D. A. Validating data prior to transmission is the most efficient method and saves the effort of transmitting or processing invalid data. However, due to the risk of errors being introduced during transmission it is also good practice to re-validate the data at the central processing site. B. Validating data prior to transmission is the most efficient method and saves the effort of transmitting or processing invalid data. However, due to the risk of errors being introduced during transmission it is also good practice to re-validate the data at the central processing site. C. To validate the data after it has been transmitted is not a valid control. D. It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

Regression testing is undertaken PRIMARILY to ensure that: Select an answer: A. system functionality meets customer requirements. B. a new system can operate in the target environment. C. applicable development standards have been maintained. D. applied changes have not introduced new errors.

You are correct, the answer is D. A. Validation testing is used to test the functionality of the system against detailed requirements to ensure that software construction is traceable to customer requirements. B. Sociability testing is used to see whether the system can operate in the target environment without adverse impacts on the existing systems. C. Software quality assurance and code reviews are used to determine whether development standards are maintained. D. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.